Page MenuHomePhabricator
Create Task
Maniphest T396354

Dashboard shows expired credentials as valid
Open, In Progress, Needs TriagePublicBUG REPORT
Actions

Description

image.png (1×3 px, 889 KB)

When loading the dashboard, instead of being redirected to the login form, it shows cached data, and a "Sign out" button.

Updated desc:
A stale window can stay "logged in" without a refresh and user wouldn't know.
Hitting Cognito's /oauth2/userInfo endpoint at an interval like ~60sec and if response.status === 401 redirect to /. At that point we can display a "Your session has expired. Please log in" 'modal' box (not a modal but the alert box I forget the name of).

Acceptance criteria
The dashboard should regularly poll if session is still valid, if expired then redirect user to root (the login form).

ToDo

  • Detect expired credentials and redirect.

Related Objects

Event Timeline

KMontalva-WMF created this task.Jun 9 2025, 1:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 9 2025, 1:04 PM
KMontalva-WMF updated the task description. (Show Details)Jun 9 2025, 1:34 PM
creynolds subscribed.Jun 9 2025, 4:39 PM
JArguello-WMF edited projects, added Wikimedia-Enterprise-Kanban-On-Call; removed Wikimedia Enterprise.Sep 9 2025, 1:29 PM
JArguello-WMF subscribed.Sep 9 2025, 1:36 PM

Decide user experience first. it requires UX work, therefore it is not an on call ticket.

JArguello-WMF edited projects, added Wikimedia Enterprise; removed Wikimedia-Enterprise-Kanban-On-Call.Sep 9 2025, 1:37 PM
JArguello-WMF moved this task from Incoming to To Be Estimated/To Be Discussed- Migrating on the Wikimedia Enterprise board.
JArguello-WMF moved this task from To Be Estimated/To Be Discussed- Migrating to Incoming on the Wikimedia Enterprise board.Sep 15 2025, 2:37 PM
JArguello-WMF moved this task from Incoming to Tech Debt- Migrating on the Wikimedia Enterprise board.Sep 15 2025, 2:49 PM
JArguello-WMF added subscribers: JWuyts-WMF, Cpetrillo.Sep 15 2025, 2:51 PM

@JWuyts-WMF and @creynolds will come up with the requirements and Product will prioritize
cc. @Cpetrillo

JWuyts-WMF added a comment.Sep 15 2025, 3:02 PM

I think UX, straightforward, should be:

acceptance criteria:

  • As a user, when I load the dashboard, the dashboard always shows a correct reflection of the # of calls I have left this month.
  • As a user, when I am redirected to the login page, I know why I was redirected and need to log back in.
creynolds added a comment.Sep 16 2025, 5:52 PM

Question if 'polling' is used on session, otherwise a stale window can stay "logged in" and without a refresh user wouldn't know. Hitting Cognito's /oauth2/userInfo endpoint at an interval like 60sec and if response.status === 401 redirect to /. At that point we can display a "Your session has expired. Please log in" 'modal' box (not a modal but the alert box I forget the name of).

RE: the refreshing of user telemetry/stats... Is that not a different ticket as it's unrelated. But that would be a longer interval poll with some caching involved there; to discuss in the/a ticket for that issue.

JArguello-WMF added a comment.Sep 17 2025, 3:09 PM

@creynolds @JWuyts-WMF let me nknow when the refinement of this ticket is done so I can send it to Product for the triage

creynolds added a project: Wikimedia Enterprise Dashboard.Sep 17 2025, 6:03 PM
creynolds updated the task description. (Show Details)Sep 17 2025, 10:52 PM

Updated OP; ready @JArguello-WMF

creynolds mentioned this in T404929: Dashboard to Automatically update 'Requests left' quota in free accounts.Sep 17 2025, 11:21 PM

The added task about updating quota numbers is now created as T404929

creynolds added a comment.Feb 4 2026, 5:00 AM

Related???

Logout Race Condition - #4 in list of Security review in repo /dashboard/-/issues/15
File: src/store/useAuth.ts:52-58

const logout = async () => {
  auth.authorized = initialValue.authorized;  // Cleared before API call
  router.push("/");
  const res = await axios.post("/token-revoke", { refresh_token: auth.refresh_token });

The state is cleared and router navigates away before the token revocation API call completes. If revocation fails, the token remains valid server-side.

Fix: Move state clearing to after successful API response.

KMontalva-WMF added a comment.Feb 4 2026, 9:12 AM

I don't believe that's related @creynolds. logout() is probably used when a user clicks the logout/signout button, but this issue occurs also the user does nothing and just lets their credentials expire.

creynolds changed the task status from Open to In Progress.Wed, Mar 18, 4:59 AM

FIxes proposed in MR46, along with that logout race condition as I was touching that part of code anyway. Need @KMontalva-WMF oversight/review/test.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits